๐Ÿ” CVE Alert

CVE-2026-41323

HIGH 8.1

Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall context feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to the outgoing HTTP request. The service URL is not validated: it can point anywhere, including an attacker-controlled server, which then receives the token. Because the admission controller's ServiceAccount has permission to patch webhook configurations, a stolen token can be used to escalate to full cluster compromise. Exploitation requires the ability to create or edit a policy containing such an apiCall, so in addition to upgrading, restrict who can write Kyverno policies and audit existing policies for apiCall service URLs that point outside the cluster. Versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4 patch the issue.
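The audit step above can be scripted. The following is an added example written for this page, not Kyverno project code: it walks one ClusterPolicy (or the List that `kubectl get clusterpolicies -o json` emits) for every `apiCall.service.url` and flags any URL whose host is not a recognised in-cluster name. It also goes one step further than the advisory and flags plaintext `http://` targets, since those would carry the token unencrypted even inside the cluster. The allowlist of in-cluster hosts (API server names and `<svc>.<ns>.svc[.cluster.local]`) and the sample policy are assumptions constructed for illustration.

```python
"""Audit Kyverno ClusterPolicy documents for apiCall service URLs that leave the cluster.

Added example for this advisory, not Kyverno project code. Flags every apiCall.service.url
whose host is not a recognised in-cluster name, plus any plaintext http:// URL.
Usage:  kubectl get clusterpolicies -o json | python audit_apicall.py
"""
import json
import sys
from dataclasses import dataclass
from typing import Any, Iterator
from urllib.parse import urlsplit

# Assumption for this example: cluster domain is cluster.local, so legitimate apiCall
# targets are Service DNS names (<svc>.<ns>.svc[.cluster.local]) or the API server itself.
SERVICE_SUFFIXES = (".svc", ".svc.cluster.local")
API_SERVER_HOSTS = {"kubernetes", "kubernetes.default", "kubernetes.default.svc"}


@dataclass
class Finding:
    policy: str  # ClusterPolicy name
    path: str    # JSON path of the offending apiCall.service.url
    url: str
    reason: str


def _is_service_dns(host: str) -> bool:
    """Exactly <service>.<namespace> in front of a known in-cluster suffix."""
    for suffix in SERVICE_SUFFIXES:
        if host.endswith(suffix):
            labels = host[: -len(suffix)].split(".")
            return len(labels) == 2 and all(labels)
    return False


def is_in_cluster_url(url: str) -> bool:
    """True only for an https URL whose host is the API server or a Service DNS name."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    return host in API_SERVER_HOSTS or _is_service_dns(host)


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Yield (json-path, mapping) for every mapping nested anywhere in the document,
    so apiCall contexts inside mutate/validate foreach blocks are found as well."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")


def audit_policy(policy: dict) -> list[Finding]:
    """One Finding per apiCall whose service.url would carry the SA token off-cluster."""
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    findings: list[Finding] = []
    for path, node in _walk(policy):
        api_call = node.get("apiCall")
        service = api_call.get("service") if isinstance(api_call, dict) else None
        if not isinstance(service, dict) or "url" not in service:
            continue  # urlPath-only calls go to the Kubernetes API server; nothing to flag
        url = str(service["url"])
        if is_in_cluster_url(url):
            continue
        reason = "host outside the cluster" if urlsplit(url).scheme == "https" else "non-https scheme"
        findings.append(Finding(name, f"{path}.apiCall.service.url", url, reason))
    return findings


def audit_documents(doc: dict) -> list[Finding]:
    """Accept either a single ClusterPolicy or the List object that kubectl emits."""
    return [f for policy in doc.get("items", [doc]) for f in audit_policy(policy)]


# Constructed sample (not from a real cluster): one in-cluster lookup, one external https
# target, and one plaintext target buried in a mutate foreach context.
SAMPLE_POLICY = json.loads("""{
  "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
  "metadata": {"name": "registry-allowlist"},
  "spec": {"rules": [
    {"name": "in-cluster-lookup", "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
     "context": [{"name": "allowed", "apiCall": {"method": "GET", "jmesPath": "registries",
        "service": {"url": "https://registry-policy.security.svc.cluster.local/allowed"}}}],
     "validate": {"message": "registry not allowed", "deny": {}}},
    {"name": "external-lookup", "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
     "context": [{"name": "ext", "apiCall": {"method": "GET",
        "service": {"url": "https://lookup.example.net/allowed"}}}],
     "validate": {"message": "denied", "deny": {}}},
    {"name": "tag-rewrite", "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
     "context": [{"name": "ns", "apiCall": {"urlPath": "/api/v1/namespaces"}}],
     "mutate": {"foreach": [{"list": "request.object.spec.containers",
        "context": [{"name": "tags", "apiCall": {"method": "GET",
           "service": {"url": "http://tags.tooling.svc/images"}}}],
        "patchStrategicMerge": {}}]}}
  ]}
}""")

if __name__ == "__main__":
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for f in audit_documents(doc):
        print(f"{f.policy}: {f.path} -> {f.url} ({f.reason})")
```

Run against the constructed sample, the script reports two findings: the external https lookup and the plaintext target nested in the foreach context, while the in-cluster Service URL and the urlPath-only call (which goes to the API server, not to a user-supplied host) pass. Adjust the suffix list if your cluster uses a domain other than cluster.local.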

CWE CWE-200 CWE-918
Vendor kyverno
Product kyverno
Published Apr 24, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Affected Versions

kyverno / kyverno
< 1.16.4
>= 1.17.0-rc1, < 1.17.2-rc1

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/kyverno/kyverno/security/advisories/GHSA-f9g8-6ppc-pqq4
Commit: https://github.com/kyverno/kyverno/commit/bc4f91c4801b1eaa2edc0a14e2f1b0af8cf0c1f5
Commit: https://github.com/kyverno/kyverno/commit/c2eab00033e635bda4e4efb58c1b472b41728bb6
Commit: https://github.com/kyverno/kyverno/commit/f70e8ac1e7acd2e3844f9553e4a884f07f953de0